Composer 2.7 and CVE-2024-24821: Code execution and possible privilege escalation
blog.packagist.com
Please immediately update Composer to version 2.7.0 or 2.2.23 (composer.phar self-update). The new releases include a fix for a vulnerability (CVE-2024-24821), reported by Ed Cradock, that allows code execution and possible privilege escalation via the InstalledVersions.php or installed.php files in a project's vendor directory.
The vulnerability does not impact packagist.org and Private Packagist, but may impact you, as a user of Composer.
If you only run Composer commands on projects that have no vendor directory, or whose vendor directory contains only files you trust to execute on your machine, and you never run Composer as root or via sudo, you should not be impacted by the vulnerability. See below for a more detailed explanation.
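The two conditions above (an untrusted vendor directory, and Composer running with root privileges) can be checked mechanically before Composer is invoked. The shell snippet below is an added example, not code from Composer or from this advisory; the function names (check_not_root, check_vendor_dir, composer_preflight) are my own, and it assumes the two files named in the advisory are the ones Composer loads from an existing vendor/composer directory.

```shell
#!/bin/sh
# Added pre-flight check for the advisory's two conditions: untrusted files in
# vendor/ and Composer running as root. Example code, not part of Composer.

# The two files the advisory names as the code-execution vector. A malicious
# copy of either would run with whatever privileges Composer is started with.
VENDOR_LOADED_FILES="composer/installed.php composer/InstalledVersions.php"

# Refuse when the effective uid is root (covers a root shell and sudo alike).
# The uid is a parameter so the check can be exercised without being root.
check_not_root() {
    uid="$1"
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run Composer as root: a malicious vendor file would run as root" >&2
        return 1
    fi
    return 0
}

# Inspect a project directory. Succeeds when there is no vendor/ at all, or when
# every advisory-listed file that exists is owned by the current user and is not
# group- or world-writable (so no other local user could have replaced it).
check_vendor_dir() {
    project="$1"
    vendor="$project/vendor"
    [ -d "$vendor" ] || return 0      # no vendor dir: nothing for Composer to load
    rc=0
    for rel in $VENDOR_LOADED_FILES; do
        f="$vendor/$rel"
        [ -e "$f" ] || continue
        if [ ! -O "$f" ]; then
            echo "$f is not owned by you; review it before running Composer" >&2
            rc=1
        fi
        # Columns 6 and 9 of the ls -l mode string are the group and other write bits.
        case "$(ls -ld "$f" | cut -c1-10)" in
            ?????w*|????????w*)
                echo "$f is group/world-writable; another local user could replace it" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Run both checks for the current user and the given (or current) project
# directory; chain the real Composer call after it, e.g.:
#   composer_preflight . && composer install
composer_preflight() {
    check_not_root "$(id -u)" && check_vendor_dir "${1:-.}"
}
```

The ownership and write-bit checks only catch the shared-machine case the advisory warns about (another local user planting or replacing vendor/composer/installed.php); a vendor directory you checked out or received from an untrusted source still needs manual review, because the files will be owned by you and pass these tests.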
You can view the full changelog for Composer 2.7 on GitHub: https://github.com/composer/composer/releases/tag/2.7.0